From c0320e5b1fc9257ef87956afc845fcbc579a080c Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Mon, 14 Nov 2022 15:16:32 +0100
Subject: [PATCH 1/4] Add tests for sysctls in /usr/local/lib/sysctl.d

Sysctl options can also be defined in /usr/local/lib/sysctl.d/
---
 .../tests/correct_value_usr_local_lib.pass.sh      | 14 ++++++++++++++
 .../sysctl/tests/wrong_value_usr_local_lib.fail.sh | 14 ++++++++++++++
 2 files changed, 28 insertions(+)
 create mode 100644 shared/templates/sysctl/tests/correct_value_usr_local_lib.pass.sh
 create mode 100644 shared/templates/sysctl/tests/wrong_value_usr_local_lib.fail.sh

diff --git a/shared/templates/sysctl/tests/correct_value_usr_local_lib.pass.sh b/shared/templates/sysctl/tests/correct_value_usr_local_lib.pass.sh
new file mode 100644
index 00000000000..3e366a9162f
--- /dev/null
+++ b/shared/templates/sysctl/tests/correct_value_usr_local_lib.pass.sh
@@ -0,0 +1,14 @@
+#!/bin/bash
+{{% if SYSCTLVAL == "" %}}
+# variables = sysctl_{{{ SYSCTLID }}}_value={{{ SYSCTL_CORRECT_VALUE }}}
+{{% endif %}}
+
+# Clean sysctl config directories
+rm -rf /usr/lib/sysctl.d/* /usr/local/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*
+
+sed -i "/{{{ SYSCTLVAR }}}/d" /etc/sysctl.conf
+mkdir /usr/local/lib/sysctl.d/
+echo "{{{ SYSCTLVAR }}} = {{{ SYSCTL_CORRECT_VALUE }}}" >> /usr/local/lib/sysctl.d/correct.conf
+
+# set correct runtime value to check if the filesystem configuration is evaluated properly
+sysctl -w {{{ SYSCTLVAR }}}="{{{ SYSCTL_CORRECT_VALUE }}}"
diff --git a/shared/templates/sysctl/tests/wrong_value_usr_local_lib.fail.sh b/shared/templates/sysctl/tests/wrong_value_usr_local_lib.fail.sh
new file mode 100644
index 00000000000..fee34ea272f
--- /dev/null
+++ b/shared/templates/sysctl/tests/wrong_value_usr_local_lib.fail.sh
@@ -0,0 +1,14 @@
+#!/bin/bash
+{{% if SYSCTLVAL == "" %}}
+# variables = sysctl_{{{ SYSCTLID }}}_value={{{ SYSCTL_CORRECT_VALUE }}}
+{{% endif %}}
+
+# Clean sysctl config directories
+rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*
+
+sed -i "/{{{ SYSCTLVAR }}}/d" /etc/sysctl.conf
+mkdir /usr/local/lib/sysctl.d/
+echo "{{{ SYSCTLVAR }}} = {{{ SYSCTL_WRONG_VALUE }}}" >> /usr/local/lib/sysctl.d/wrong.conf
+
+# Setting correct runtime value
+sysctl -w {{{ SYSCTLVAR }}}="{{{ SYSCTL_CORRECT_VALUE }}}"

From 81d45583b4ebd42302d9734447082afc97587ed8 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Mon, 14 Nov 2022 15:19:15 +0100
Subject: [PATCH 2/4] sysctl: Check /usr/local/lib/sysctl.d for configs

Update the template so that /usr/local/lib/sysctl.d is also checked for
sysctl onfigurations.
---
 shared/templates/sysctl/oval.template | 24 +++++++++++++++++++++++-
 1 file changed, 23 insertions(+), 1 deletion(-)

diff --git a/shared/templates/sysctl/oval.template b/shared/templates/sysctl/oval.template
index bbe646274f6..3fe6de1c185 100644
--- a/shared/templates/sysctl/oval.template
+++ b/shared/templates/sysctl/oval.template
@@ -138,6 +138,8 @@
         <criterion comment="kernel static parameter {{{ SYSCTLVAR }}} set to {{{ COMMENT_VALUE }}} in /usr/lib/sysctl.d/*.conf"
                    test_ref="test_{{{ rule_id }}}_static_usr_lib_sysctld"/>
 {{% endif %}}
+          <criterion comment="kernel static parameter {{{ SYSCTLVAR }}} set to {{{ COMMENT_VALUE }}} in /usr/local/lib/sysctl.d/*.conf"
+                    test_ref="test_{{{ rule_id }}}_static_usr_local_lib_sysctld"/>
       </criteria>
 {{% if target_oval_version >= [5, 11] %}}
       <criterion comment="Check that {{{ SYSCTLID }}} is defined in only one file" test_ref="test_{{{ rule_id }}}_defined_in_one_file" />
@@ -181,6 +183,13 @@
   </unix:symlink_state>
 {{% endif %}}
 
+  <ind:textfilecontent54_test id="test_{{{ rule_id }}}_static_usr_local_lib_sysctld" version="1"
+                          check_existence="any_exist"
+                          check="all"
+                          comment="{{{ SYSCTLVAR }}} static configuration in /usr/local/lib/sysctl.d/*.conf" state_operator="OR">
+    {{{ state_static_sysctld("usr_local_lib_sysctld") }}}
+  </ind:textfilecontent54_test>
+
   <local_variable comment="List of conf files" datatype="string" id="local_var_conf_files_{{{ rule_id }}}" version="1">
     <object_component object_ref="object_{{{ rule_id }}}_static_set_sysctls_unfiltered" item_field="filepath" />
   </local_variable>
@@ -190,7 +199,7 @@
   <ind:textfilecontent54_object id="object_{{{ rule_id }}}_static_set_sysctls_unfiltered" version="1">
     <set>
       <object_reference>object_static_etc_sysctls_{{{ rule_id }}}</object_reference>
-      <object_reference>object_static_run_usr_sysctls_{{{ rule_id }}}</object_reference>
+      <object_reference>object_static_run_usr_local_sysctls_{{{ rule_id }}}</object_reference>
     </set>
   </ind:textfilecontent54_object>
 
@@ -201,6 +210,13 @@
     </set>
   </ind:textfilecontent54_object>
 
+  <ind:textfilecontent54_object id="object_static_run_usr_local_sysctls_{{{ rule_id }}}" version="1">
+    <set>
+      <object_reference>object_static_usr_local_lib_sysctld_{{{ rule_id }}}</object_reference>
+      <object_reference>object_static_run_usr_sysctls_{{{ rule_id }}}</object_reference>
+    </set>
+  </ind:textfilecontent54_object>
+
   <ind:textfilecontent54_object id="object_static_run_usr_sysctls_{{{ rule_id }}}" version="1">
     <set>
       <object_reference>object_static_run_sysctld_{{{ rule_id }}}</object_reference>
@@ -227,6 +243,12 @@
     {{{ sysctl_match() }}}
   </ind:textfilecontent54_object>
 
+  <ind:textfilecontent54_object id="object_static_usr_local_lib_sysctld_{{{ rule_id }}}" version="1">
+    <ind:path>/usr/local/lib/sysctl.d</ind:path>
+    <ind:filename operation="pattern match">^.*\.conf$</ind:filename>
+    {{{ sysctl_match() }}}
+  </ind:textfilecontent54_object>
+
 {{% if product not in [ "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9"] %}}
   <ind:textfilecontent54_object id="object_static_usr_lib_sysctld_{{{ rule_id }}}" version="1">
     <ind:path>/usr/lib/sysctl.d</ind:path>

From e863b901b4cca177a67dd11d40a5b4d9ce6deaba Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Mon, 14 Nov 2022 15:35:17 +0100
Subject: [PATCH 3/4] sysctl: Align Ansible and Bash remediations

The Ansible remediation for some products were not aligned with the Bash
one.
---
 shared/templates/sysctl/ansible.template | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/shared/templates/sysctl/ansible.template b/shared/templates/sysctl/ansible.template
index edc4d3fb667..d67cdd2068c 100644
--- a/shared/templates/sysctl/ansible.template
+++ b/shared/templates/sysctl/ansible.template
@@ -9,12 +9,15 @@
     paths:
       - "/etc/sysctl.d/"
       - "/run/sysctl.d/"
+{{% if product not in [ "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9"] %}}
+      - "/usr/lib/sysctl.d/"
+{{% endif %}}
     contains: '^[\s]*{{{ SYSCTLVAR }}}.*$'
     patterns: "*.conf"
     file_type: any
   register: find_sysctl_d
 
-- name: Comment out any occurrences of {{{ SYSCTLVAR }}} from /etc/sysctl.d/*.conf files
+- name: Comment out any occurrences of {{{ SYSCTLVAR }}} from config files
   replace:
     path: "{{ item.path }}"
     regexp: '^[\s]*{{{ SYSCTLVAR }}}'

From 528715c89910afdfb0287b7f405d6849b5701ecb Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Mon, 14 Nov 2022 15:36:59 +0100
Subject: [PATCH 4/4] sysctl: remove settings in /usr/local/lib/sysctl.d

Also check for sysctl configs /usr/local/lib/sysctl.d for sysctl options
and comment them out.
---
 shared/templates/sysctl/ansible.template | 1 +
 shared/templates/sysctl/bash.template    | 4 ++--
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/shared/templates/sysctl/ansible.template b/shared/templates/sysctl/ansible.template
index d67cdd2068c..3ac5d072fcf 100644
--- a/shared/templates/sysctl/ansible.template
+++ b/shared/templates/sysctl/ansible.template
@@ -9,6 +9,7 @@
     paths:
       - "/etc/sysctl.d/"
       - "/run/sysctl.d/"
+      - "/usr/local/lib/sysctl.d/"
 {{% if product not in [ "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9"] %}}
       - "/usr/lib/sysctl.d/"
 {{% endif %}}
diff --git a/shared/templates/sysctl/bash.template b/shared/templates/sysctl/bash.template
index 27935c33612..83f50a74a06 100644
--- a/shared/templates/sysctl/bash.template
+++ b/shared/templates/sysctl/bash.template
@@ -6,9 +6,9 @@
 
 # Comment out any occurrences of {{{ SYSCTLVAR }}} from /etc/sysctl.d/*.conf files
 {{% if product not in [ "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9"] %}}
-for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf; do
+for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf; do
 {{% else %}}
-for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf; do
+for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do
 {{% endif %}}
   matching_list=$(grep -P '^(?!#).*[\s]*{{{ SYSCTLVAR }}}.*$' $f | uniq )
   if ! test -z "$matching_list"; then